Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle tags when converting policies to rules #1872

Open
VeraBE opened this issue Nov 18, 2022 · 2 comments
Open

Handle tags when converting policies to rules #1872

VeraBE opened this issue Nov 18, 2022 · 2 comments
Labels
bug Something isn't working feature: policy-as-rules Issues that related to exporting policy as rules.

Comments

@VeraBE
Copy link
Contributor

VeraBE commented Nov 18, 2022

Description of the issue

Tags are not handled by Export-AzPolicyAssignmentRuleData

To Reproduce

Steps to reproduce the issue:

Run Get-AzPolicyAssignmentDataSource | Export-AzPolicyAssignmentRuleData -Verbose against an assignment file with this content:

[
    {
        "Identity":  null,
        "Location":  null,
        "Name":  "12e4c75dcb1d3c43",
        "ResourceId":  "...",
        "ResourceName":  "12e4c75dcb1d3c43",
        "ResourceGroupName":  null,
        "ResourceType":  "Microsoft.Authorization/policyAssignments",
        "SubscriptionId":  null,
        "Sku":  null,
        "PolicyAssignmentId":  "...",
        "Properties":  {
                           "Scope":  "...",
                           "NotScopes":  null,
                           "DisplayName":  "...",
                           "Description":  "...",
                           "Metadata":  {
                                            "createdBy":  "d5f68f99-e07e-4453-add5-cebdba7b3c92",
                                            "createdOn":  "2020-05-12T22:14:43.4731105Z",
                                            "updatedBy":  "d5f68f99-e07e-4453-add5-cebdba7b3c92",
                                            "updatedOn":  "2022-05-10T22:06:19.9892111Z"
                                        },
                           "EnforcementMode":  0,
                           "PolicyDefinitionId":  "...",
                           "Parameters":  {
                                              "allowedLocations":  {
                                                                       "value":  [
                                                                                     "centraluseuap",
                                                                                     "eastus2euap",
                                                                                     "westcentralus",
                                                                                     "northcentralus",
                                                                                     "westus",
                                                                                     "eastasia",
                                                                                     "australiacentral",
                                                                                     "australiaeast",
                                                                                     "canadacentral",
                                                                                     "northeurope",
                                                                                     "japaneast",
                                                                                     "koreacentral",
                                                                                     "uksouth",
                                                                                     "centralus",
                                                                                     "eastus",
                                                                                     "westus2",
                                                                                     "francecentral",
                                                                                     "southafricanorth",
                                                                                     "germanynorth",
                                                                                     "norwayeast",
                                                                                     "switzerlandnorth",
                                                                                     "uaenorth",
                                                                                     "southeastasia",
                                                                                     "australiacentral2",
                                                                                     "australiasoutheast",
                                                                                     "canadaeast",
                                                                                     "westeurope",
                                                                                     "japanwest",
                                                                                     "koreasouth",
                                                                                     "ukwest",
                                                                                     "eastus2",
                                                                                     "southcentralus",
                                                                                     "brazilsouth",
                                                                                     "francesouth",
                                                                                     "southafricawest",
                                                                                     "germanywestcentral",
                                                                                     "norwaywest",
                                                                                     "uaecentral",
                                                                                     "switzerlandwest",
                                                                                     "brazilus",
                                                                                     "global",
                                                                                     "brazilsoutheast",
                                                                                     "westus3",
                                                                                     "swedencentral",
                                                                                     "swedensouth",
                                                                                     "jioindiawest",
                                                                                     "jioindiacentral",
                                                                                     "centralindia",
                                                                                     "southindia",
                                                                                     "westindia",
                                                                                     "qatarcentral",
                                                                                     "qatarcentral2",
                                                                                     "eastusslv",
                                                                                     "israelcentral",
                                                                                     "polandcentral",
                                                                                     "taiwannorth",
                                                                                     "taiwannorthwest",
                                                                                     "italynorth"
                                                                                 ]
                                                                   },
                                              "effect":  {
                                                             "value":  "AuditIfNotExists"
                                                         },
                                              "tagname":  {
                                                              "value":  "SQLADSExcluded"
                                                          }
                                          },
                           "NonComplianceMessages":  null
                       },
        "PolicyDefinitions":  [
                                  {
                                      "Name":  "386c8ebacef0fc43",
                                      "ResourceId":  "...",
                                      "ResourceName":  "386c8ebacef0fc43",
                                      "ResourceType":  "Microsoft.Authorization/policyDefinitions",
                                      "SubscriptionId":  null,
                                      "Properties":  {
                                                         "Description":  null,
                                                         "DisplayName":  "...",
                                                         "Metadata":  {
                                                                          "createdBy":  "d5f68f99-e07e-4453-add5-cebdba7b3c92",
                                                                          "createdOn":  "2020-05-12T22:14:42.9642707Z",
                                                                          "updatedBy":  null,
                                                                          "updatedOn":  null
                                                                      },
                                                         "Mode":  "All",
                                                         "Parameters":  {
                                                                            "allowedLocations":  {
                                                                                                     "type":  "Array",
                                                                                                     "metadata":  {
                                                                                                                      "displayName":  "Allowed locations",
                                                                                                                      "description":  "The list of locations that can be specified when deploying resources.",
                                                                                                                      "strongType":  "location"
                                                                                                                  }
                                                                                                 },
                                                                            "tagname":  {
                                                                                            "type":  "String",
                                                                                            "metadata":  {
                                                                                                             "displayName":  "Exclusion Tag Name",
                                                                                                             "description":  "Rule is not deployed if this tag exists on the SQL Server"
                                                                                                         }
                                                                                        },
                                                                            "effect":  {
                                                                                           "type":  "String",
                                                                                           "metadata":  {
                                                                                                            "displayName":  "Effect",
                                                                                                            "description":  "Enable or disable the execution of the policy"
                                                                                                        },
                                                                                           "allowedValues":  [
                                                                                                                 "AuditIfNotExists",
                                                                                                                 "Disabled"
                                                                                                             ],
                                                                                           "defaultValue":  "AuditIfNotExists"
                                                                                       }
                                                                        },
                                                         "PolicyRule":  {
                                                                            "if":  {
                                                                                       "allOf":  [
                                                                                                     {
                                                                                                         "field":  "type",
                                                                                                         "equals":  "Microsoft.Sql/servers"
                                                                                                     },
                                                                                                     {
                                                                                                         "field":  "location",
                                                                                                         "in":  "[parameters(\u0027allowedLocations\u0027)]"
                                                                                                     },
                                                                                                     {
                                                                                                         "field":  "[concat(\u0027tags[\u0027, parameters(\u0027tagname\u0027), \u0027]\u0027)]",
                                                                                                         "exists":  "false"
                                                                                                     },
                                                                                                     {
                                                                                                         "value":  "[resourceGroup().tags[parameters(\u0027tagname\u0027)]]",
                                                                                                         "equals":  ""
                                                                                                     },
                                                                                                     {
                                                                                                         "value":  "[subscription().tags[parameters(\u0027tagname\u0027)]]",
                                                                                                         "equals":  ""
                                                                                                     }
                                                                                                 ]
                                                                                   },
                                                                            "then":  {
                                                                                         "effect":  "[parameters(\u0027effect\u0027)]",
                                                                                         "details":  {
                                                                                                         "type":  "Microsoft.Sql/servers/securityAlertPolicies",
                                                                                                         "name":  "default",
                                                                                                         "existenceCondition":  {
                                                                                                                                    "field":  "Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]",
                                                                                                                                    "equals":  ""
                                                                                                                                }
                                                                                                     }
                                                                                     }
                                                                        },
                                                         "PolicyType":  1
                                                     },
                                      "PolicyDefinitionId":  "..."
                                  }
                              ]
    }
]

I cleaned up all the information that was potentially private replacing it with "..."

Error output

Export-AzPolicyAssignmentRuleData : An error occurred evaluating expression '[resourceGroup().tags[parameters('tagname')]]' line 161. Object reference not set to an instance of an object.
At C:\Users\verabo.REDMOND\OneDrive - Microsoft\Documents\Policy\WithPSRule\policy.ps1:7 char:36
+ ... ataSource | Export-AzPolicyAssignmentRuleData -OutputPath "rulesFromP ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({
  "name": "3...onId": "..."
}:JObject) [Export-AzPolicyAssignmentRuleData], ExpressionEvaluationException
    + FullyQualifiedErrorId : System.NullReferenceException,Export-AzPolicyAssignmentRuleData

Module in use and version:

  • Module: PSRule.Rules.Azure
  • Version: I ran the version in the main branch up to the latest commit now (ef1570a)

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      5.1.22621.608
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.608
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
@VeraBE VeraBE added bug Something isn't working feature: policy-as-rules Issues that related to exporting policy as rules. labels Nov 18, 2022
@BernieWhite
Copy link
Collaborator

@VeraBE Thanks for reporting the issue.

@BernieWhite
Copy link
Collaborator

BernieWhite commented Nov 21, 2022
edited
Loading

Tags for the parent resource group or subscription are tricky we'll need to add support for this ([resourceGroup().tags[parameters('tagname')]]).

Currently we are resolving most of the policy at rule export however we won't be able to resolve these context variables because they are associated with the resource, which is not known when the policy is converted to a rule.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working feature: policy-as-rules Issues that related to exporting policy as rules.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@VeraBE @BernieWhite